Support Forums Reveal Soft Underbelly of Critical Infrastructure

We hear a lot about vulnerabilities in industrial control system (ICS) software. In fact, that’s all we seem to hear about these days. The truth is: there’s a lot to write about. In just the last month, the Department of Homeland Security’s ICS-CERT warned its members about the ability of sophisticated – and even unskilled – attackers to use tools like the Shodan and ERIPP search engines to locate and attack vulnerable industrial control systems (PDF) that are accessible from the public Internet. In the meantime, every couple of weeks brings revelations about serious and remotely exploitable software holes. Most recently, ICS-CERT warned about a critical vulnerability in EOScada (PDF), a Windows-based Energy Management System that is used to configure and manage intelligent electronic devices (IEDs) used in electrical, water, sewage and gas applications.

Systems with access to industrial automation systems are among those listed on support forums for those struggling with malware infections.

But what about real evidence of compromised SCADA and industrial control systems? That’s a taller order. After all: most companies that have been compromised in some form don’t want to make that information public. Just this week, in fact, there were reports about compromises at a string of high profile companies, including Coca Cola Corp., that went unreported, despite SEC rules that require publicly traded firms to disclose any breaches that might be material to shareholders. Infrastructure providers like public utilities and energy companies can be even more secretive – preferring to manage their own problems rather than undermine their customers’ confidence by going public about embarrassing cyber incidents.

As with many other problems, however, the evidence that SCADA and industrial control systems are prone to security lapses, virus infections and a host of other online ills is right out in the open for anyone who cares to look. And that’s what the security researcher Michael Toecker (@mtoecker) did. Toecker, a consultant at the firm Digital Bond, wrote this week on Digital Bond’s blog that data dumps from laptops and servers used to manage ICS and SCADA systems frequently turn up in online support forums, like this one, in which victims of malware, spyware and other pernicious programs upload diagnostic logs and look for help from experts.

Toecker said the expert advice forums, filled with diagnostic reports from free tools like HijackThis and DDS, are ample evidence that viruses and malware have found their way onto systems with direct connections to both industrial control and SCADA systems. His audit of forum posts at the web site bleepingcomputer.com focused on mentions of ICS programs that interact with electric power infrastructure, including management applications used in electric infrastructure to configure the devices that open and close breakers on transmission and distribution lines.

With a bit of knowledge about the software and a couple of Google searches, Toecker found what he was looking for in no time: anti-malware scans of infected systems that were running specialized tools like Schweitzer Engineering Labs (SEL) AcSELerator Software, GE Power’s EnerVista Software (used to configure GE electric power protection products), the MiCOM S1 Suite of Tools for Relays (used to configure MiCOM relays) and the Siemens Digsi 4 Tools (used to configure Siemens Siprotec relays).

In at least one instance, dating from May 2011, an anonymous user posted a data dump from a laptop that was infected with two fake anti-virus programs. That’s nothing unusual, but the diagnostics from the DDS scan of the system revealed that it was running both the GE EnerVista and SEL AcSELerator clients. “So it was used to either review relay configurations or install relay configurations on SEL and GE digital protective relays,” Toecker observed. Digging deeper into the data from the support forum, Toecker noted evidence of a number of other industrial automation programs, as well. The system, Toecker theorized, likely belonged to a technician responsible for servicing a wide range of automation systems.
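The same triage can be automated on the defender’s side: an asset owner can run the DDS logs collected from its own engineering laptops through a script that flags the ICS configuration tools named above next to binaries running from user-writable directories. The following is an added example, not code from Toecker or the article; the DDS-style log excerpt, the file paths and the `defender_update.exe` name are all constructed, and only the “Running Processes” section layout is mimicked.

```python
import re

# Product names the article reports Toecker searched for, matched as
# case-insensitive substrings of process paths.
ICS_TOOLS = ("AcSELerator", "EnerVista", "MiCOM S1", "DIGSI")

# Heuristic flag: executables running from user-writable temp/profile
# directories, a frequent trait of rogue "anti-virus" droppers.
SUSPICIOUS_DIR = re.compile(r"\\(temp|appdata)\\", re.IGNORECASE)

SECTION = re.compile(r"^=+\s*(.+?)\s*=+$")
EXE_PATH = re.compile(r"^(.*?\.exe)", re.IGNORECASE)

# Constructed sample (not a real forum post); paths are invented.
SAMPLE_LOG = """\
DDS log (constructed sample)
============== Running Processes ===============
C:\\Windows\\system32\\svchost.exe -k netsvcs
C:\\Program Files\\SEL\\AcSELerator QuickSet\\QuickSet.exe
C:\\Program Files\\GE Power Management\\EnerVista\\EnerVista.exe
C:\\Users\\tech\\AppData\\Local\\Temp\\defender_update.exe
C:\\Windows\\system32\\lsass.exe
============== Pseudo HJT Report ===============
"""

def running_processes(log: str) -> list:
    """Return executable paths listed under the 'Running Processes' section."""
    paths, in_section = [], False
    for line in log.splitlines():
        m = SECTION.match(line.strip())
        if m:  # a new section header starts; stay only in the one we want
            in_section = m.group(1).lower() == "running processes"
            continue
        if in_section:
            p = EXE_PATH.match(line.strip())
            if p:
                paths.append(p.group(1))
    return paths

def triage(log: str) -> dict:
    """Flag ICS engineering tools and suspicious binaries in one DDS-style log."""
    procs = running_processes(log)
    ics = [t for t in ICS_TOOLS if any(t.lower() in p.lower() for p in procs)]
    sus = [p for p in procs if SUSPICIOUS_DIR.search(p)]
    # "exposed": relay tooling and a suspicious binary on the same host
    return {"ics_tools": ics, "suspicious": sus, "exposed": bool(ics and sus)}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```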

His point? Besides the fact that individuals with highly technical jobs will, like most other Internet users, “click on just about anything,” the data dumps – and Toecker links to many others in his post – suggest that infected end-user systems could be the pathway to compromising critical infrastructure, including electrical infrastructure.

“With access to a protection relay through a laptop, a malicious program could alter settings in the configuration file, inject bad data designed to halt the relay, or even send commands directly to the relay when a connection was made,” Toecker wrote.

And even with IP access to vital automation systems blocked, infected laptops belonging to technicians and other contractors could still spread malicious code via the serial connections used when servicing ICS devices.

This isn’t the first time that Toecker has dug up evidence of compromises with links to industrial control and SCADA systems. He conducted a similar audit in September of 2011, with similar results. Writing on the Digital Bond blog, Toecker said that his audit this year was prompted by the recent warning from the ICS-CERT about the danger posed by attackers using search engines like Shodan. “I figured there should be another showing of (sp) just how many ICS computer (sp) interact with the Internet, and are even potentially infected with Malware,” he wrote.

2 Comments

Would be nice to have an industry-wide “Reboot Standard.”
Systems should be built with the upfront requirement that they can be rebooted within 60 seconds.

That would strengthen the entire net. Allow for ‘attacks’ to be shut down quickly or quarantined regionally. Difficult for sure – but think of the ability to cope with attacks and to recover for clients.